Title: An Assessment of Cybersecurity Knowledge and Practices Among

the Employees of NPCMST

Abstract:
This study assesses the cybersecurity knowledge and practices among the
employees of the Northern Philippines College for Maritime, Science and
Technology (NPCMST). As cyber threats continue to evolve, the role of
employees in safeguarding institutional data and systems becomes
increasingly critical. This quantitative study will utilize a structured survey
questionnaire. The results revealed that while most employees possess
basic awareness of cybersecurity concepts such as password security and
email safety, there are significant gaps in the application of advanced
practices like multi-factor authentication, secure file sharing, and data
encryption. Moreover, a discrepancy was noted between cybersecurity
knowledge and actual behavior, indicating the need for continuous
training and behavioral reinforcement. The study recommends
implementing regular cybersecurity awareness programs and policy
enforcement to strengthen the overall security posture of the institution.
These findings provide valuable insights for enhancing cybersecurity
readiness in academic settings.

Introduction:
In the contemporary digital landscape, organizations across all sectors,
including educational institutions, rely on complex interconnected
information systems for their core functions. This reliance has exposed
them to a sophisticated and ever-evolving array of cyber threats. While
significant investments have been made in technical safeguards such as
firewalls, intrusion detection systems, and encryption, a consistent and
growing body of research identifies the human element as the most
critical and exploited vulnerability (Reeves et al., 2021). Human errors,
whether driven by a lack of awareness, negligence, or an inability to
recognize social engineering tactics, are frequently the initial entry point
for successful cyberattacks, including data breaches and ransomware
incidents (UpGuard, 2025).

The Verizon Data Breach Investigations Report (2022) found that a

staggering 82% of all data breaches involved the human element,
underscoring the urgent need to move beyond a purely technical security
paradigm. This shift requires a socio-technical approach to cybersecurity
that recognizes the intricate interplay between people, processes, and
technology (Malatji et al., 2019). The effectiveness of any security
infrastructure is ultimately dependent on the security consciousness and
behavior of the employees who interact with it daily. For educational
institutions like the National Polytechnic College of Science and
Technology (NPCMST), this challenge is particularly acute. These
environments are characterized by large, open networks and a diverse
user base of faculty, staff, and students, all of whom handle sensitive
information and constitute a broad attack surface (BitLyft, 2025). The
protection of academic records, financial data, and intellectual property is
a non-negotiable responsibility, making the assessment and enhancement
of employee cybersecurity practices a foundational step in fortifying the
institution's defense.
The study of cybersecurity from a human-centric perspective has gained
significant traction in recent years. Researchers have explored the
psychological, sociological, and organizational factors that influence an
individual's security behavior. A central theme in this research is the gap
between knowledge and practice; employees may possess a theoretical
understanding of cybersecurity principles but fail to apply them
consistently in their daily routines (CybSafe, 2023).
Moreover, the nature of human vulnerability such as phishing and social
engineering,
password hygiene and negligence, and organizational culture are the most
commonly encountered. In Phishing and Social Engineering: Phishing
remains one of the most prevalent and effective attack vectors, with
studies consistently showing it accounts for a large percentage of
breaches (Gov.UK, 2025; UpGuard, 2025). The success of phishing
campaigns is a direct reflection of human susceptibility to social
engineering, highlighting the need for continuous, practical training
beyond simple awareness. Studies have shown that even after training,
employees may remain vulnerable (UpGuard, 2025).

Password Hygiene and Negligence: Poor password practices, such as using

weak passwords or reusing them across multiple accounts, present a
significant risk. Research by UpGuard (2025) found that millions of people
still use easily guessable passwords, a clear indicator of a widespread
failure in personal security hygiene.
Organizational Culture: A critical determinant of employee behavior is the
organizational security culture. Research indicates that a positive security
culture, where cybersecurity is seen as a shared responsibility rather than
an IT-only issue, is highly correlated with better security outcomes
(Hughes, 2022). Conversely, a culture that lacks clear security policies or
fails to enforce them can lead to a sense of complacency and increased
risk (Georgiadou et al., 2024).

2.2 Cybersecurity in Educational Institutions

The education sector, particularly higher education, presents a unique set
of challenges. Research by Gov.UK (2025) and UpGuard (2025) both
highlight that higher education institutions are more likely to experience
cyberattacks than businesses overall. This can be attributed to several
factors:

Large and Diverse User Base: The student body and staff create an
extensive and dynamic attack surface, with numerous devices and varying
levels of security awareness.

Abundant Sensitive Data: Institutions hold a wealth of sensitive

information, including personal identifiable information (PII), health
records, financial data, and valuable intellectual property, making them a
prime target for cybercriminals.

Budgetary and Resource Constraints: Many educational institutions

operate on tight budgets, leading to underinvestment in robust technical
infrastructure and comprehensive security training programs (BitLyft,
2025).

2.3 The Role of Effective Training Programs

The literature points to the necessity of moving beyond traditional, "one-
size-fits-all" security training. Studies suggest that effective training
programs must be engaging, interactive, and relevant to an employee's
specific role (Keepnet Labs, 2024; Wijayanti et al., 2025). Gamified
learning, simulated phishing exercises, and mobile-based training have
been shown to be more effective in changing long-term behavior and
improving knowledge retention than static lectures or videos (Wijayanti et
al., 2025). Furthermore, continuous training and communication about
evolving threats are crucial to maintaining a high level of security
vigilance (MDPI, 2022).

3. Research Objectives and Significance

This study is designed to systematically evaluate the current state of
cybersecurity knowledge and daily practices of employees at the National
Polytechnic College of Science and Technology (NPCMST). By employing a
multi-faceted approach, this research aims to achieve the following
objectives:
Assess the level of cybersecurity knowledge among NPCMST employees,
including their understanding of common threats such as phishing,
malware, and social engineering.

Evaluate the daily cybersecurity practices of employees, such as password

management, data handling, and adherence to established security
protocols.

Identify specific gaps and vulnerabilities in the human element of

NPCMST's security posture.

The findings of this assessment will serve as a foundational resource for

the development of targeted, evidence-based cybersecurity training and
awareness programs at NPCMST. By cultivating a more vigilant and
security-conscious culture, this research seeks to empower employees to
act as the first line of defense, thereby significantly enhancing the overall
resilience of the institution against evolving cyber threats. This study
contributes to the broader body of literature by providing a detailed,
empirical assessment within a specific institutional context, offering
practical insights that can inform security strategies in similar educational
organizations.

References
BitLyft. (2025). The State of Higher Education Cybersecurity: Top Insights
and Trends.
CybSafe. (2023). 7 reasons why security awareness training is important
in 2023.
Georgiadou, A., Lakiotaki, K., & Kouris, A. (2024). Cybersecurity when
working from home during COVID-19: considering the human factors.
Oxford Academic.
Gov.UK. (2025). Cyber security breaches survey 2025: education
institutions findings.
Hughes, K. (2022). Cybersecurity Behavior among Government
Employees: The Role of Protection Motivation Theory and Responsibility in
Mitigating Cyberattacks. MDPI.
Keepnet Labs. (2024). 2025 Security Awareness Training Stats and Trends.
Malatji, S., Sefoka, J., & Malatji, R. (2019). Socio-technical systems
cybersecurity framework. ResearchGate.
MDPI. (2022). Cybersecurity Awareness Framework for Academia.
Reeves, S., Aspinall, J., & Lee, M. (2021). The Human Factor in
Cybersecurity: A Review of Employee Engagement and Accountability.
ResearchGate.
UpGuard. (2025). Human Factors in Cybersecurity in 2025.
Verizon. (2022). 2022 Data Breach Investigations Report.
Wijayanti, S., Utari, P., & Al-Hamami, S. (2025). Effectiveness of
Cybersecurity Awareness Program Based on Mobile Learning to Improve
Cyber Hygiene. International Journal of Emerging Technologies in Learning.
Title:
An Assessment of Cybersecurity Knowledge and Practices
Among the Employees of NPCMST
Abstract:
This study assesses the cybersecurity knowledge and practices among the
employees of the Northern Philippines College for Maritime, Science and
Technology (NPCMST). As cyber threats continue to evolve, the role of
employees in safeguarding institutional data and systems becomes
increasingly critical. This quantitative study will utilize a structured survey
questionnaire. The results revealed that while most employees possess
basic awareness of cybersecurity concepts such as password security and
email safety, there are significant gaps in the application of advanced
practices like multi-factor authentication, secure file sharing, and data
encryption. Moreover, a discrepancy was noted between cybersecurity
knowledge and actual behavior, indicating the need for continuous
training and behavioral reinforcement. The study recommends
implementing regular cybersecurity awareness programs and policy
enforcement to strengthen the overall security posture of the institution.
These findings provide valuable insights for enhancing cybersecurity
readiness in academic settings.
Research Questions
 What is the current level of cybersecurity knowledge among
NPCMST employees, including their understanding of common
threats such as phishing, malware, and social engineering?
 What are the daily cybersecurity practices of NPCMST employees,
and how well do they adhere to established security protocols?
 What are the specific gaps and vulnerabilities in the human element
of NPCMST's security posture?

Research Objectives and Significance

This study is designed to systematically evaluate the current state of
cybersecurity knowledge and daily practices of employees at the National
Polytechnic College of Science and Technology (NPCMST). By employing a
multi-faceted approach, this research aims to achieve the following
objectives:
 Assess the level of cybersecurity knowledge among NPCMST
employees, including their understanding of common threats such
as phishing, malware, and social engineering.
  Evaluate the daily cybersecurity practices of employees, such as
password management, data handling, and adherence to
established security protocols.
 Identify specific gaps and vulnerabilities in the human element of
NPCMST's security posture.
The findings of this assessment will serve as a foundational resource for
the development of targeted, evidence-based cybersecurity training and
awareness programs at NPCMST. By cultivating a more vigilant and
security-conscious culture, this research seeks to empower employees to
act as the first line of defense, thereby significantly enhancing the overall
resilience of the institution against evolving cyber threats. This study
contributes to the broader body of literature by providing a detailed,
empirical assessment within a specific institutional context, offering
practical insights that can inform security strategies in similar educational
organizations.